SOURCE Boston opens Call for Papers for 2009 event

Monday, September 22nd, 2008

SOURCE Boston 2008 featured some fantastic speakers, which made for a compelling event for both our attendees and even our board of advisors. In designing the scope and content for SOURCE Boston 2009 we realized that while we collectively have a great team of resources for filling speaking sessions, we owe it to our attendees and our sponsors to cast a wider net and try to bring in the best speaking talent available. With that in mind, today we’ve opened up a Call for Papers for next year’s event.

We’re still going to hold true to our focus of issues and trends relative to the business and technical scope of security, and we remain application security focused. CFPs will be reviewed by our advisory board and speakers will be notified before the end of the year.

The CFP really summarizes the details of what we are seeking, but what I will say is that we are not looking for sales-oriented or vendor sales-oriented presentations. Those won’t even be considered. We want talks that focus on the most pressing business and technology trends in security. Our audience last year was comprised of C-level executives, venture capital firms, security researchers and engineers. While there are many people in attendance who make buying decisions, speaking sessions are not the time to reach them during SOURCE Boston. We believe in keeping the content as pure and educational as possible.

Check out SOURCE Boston 2009’s current speaker list to see examples of what we’re seeking.

– Stacy Thayer

L0pht Panel — Live Shot

Friday, March 14th, 2008

The L0pht panel at SOURCE Boston is live now — packed and standing room only. Weld Pond, John Tan, Mudge, Space Rogue, Silicosis and Dilldog are being interviewed by journalist Michael Fitzgerald on their histories, names, lessons learned and memories of L0pht, current gigs, whether or not security vendors are selling snake oil, and even the impact of trying to balance a hacking life and a personal life. For a play-by-play of Q&A visit @innismir on Twitter.

Weld Pond, John Tan, Mudge, Michael Fitzgerald (moderator), Space Rogue, Silicosis and Dilldog:

To reach members of L0pht visit http://lopht.com/.

Photo by Leigh Hollowell

Posted by Jennifer Leggio

Telephone Defenses Against the Dark Arts

Friday, March 14th, 2008

James Atkinson of Granite Island Group has elevated professional paranoia to an art form. In “Telephone Defenses Against the Dark Arts”, Jim delivered over two hours of solid, technical information, and held the audience’s attention to the very end of his engaging and informative presentation. After an introduction to the terminology and fundamentals of traditional telephone systems, Jim quickly went into the myriad exposures in telephone systems and infrastructure. The telephone companies’ near total lack of concern for security and privacy was made very clear as Jim showed images and recounted stories of systems and equipment left wide open or “secured” by a single common bolt through a door. The layout and space available in telephone company boxes by the side of the road make very low-tech eavesdropping simple; wiring is labeled and there is plenty of room to put a recorder inside the cabinet. Several photos of compromised equipment were shown, with enough explanation to make it clear that you do not have to be an expert to eavesdrop on telephone conversations.

As the session continued, the focus moved through numerous weak points in telephone security, from the telephone on the desk to the telephone company’s Central Office and everything in between. The number of potential points of compromise is staggering, but it was also made clear that most IT people already have the skills needed to handle routine inspections. Many simple listening devices can be found with a flashlight, a ladder, and a lot of patient investigation. Tape recorders in suspended ceilings, stray wires in connection boxes and shiny things where they don’t belong are just a few of the things which can be found without any special skills or equipment. (But I’m a tool junkie, so when he started talking about the Fluke 289 meter and Fluke 199c oscilloscope I added them to my wishlist.)

Once the X-rays of telephone equipment and close-ups of modified circuit boards came out (notice that there’s supposed to be a diode there, but someone replaced it with a capacitor…) we were headed into real spy vs. spy territory. Tracking down covert channels requires identifying, mapping, and physically and electronically testing every conductor out of an area. Even the conduit and grounds can be used to carry signal, and they have to be checked. This is the type of work best left to the pros, but Jim showed and explained some of the techniques used to detect signals in wired and wireless eavesdropping systems. Done properly, it takes the pros a few days per room to sweep for listening devices.

VoIP (in)security has been beaten to death in many venues before, so Jim didn’t dwell on it in this talk, but he did remind the audience of some of the basic flaws and some best practices in VoIP. He stressed that using VoIP on a cable Internet connection is a very bad idea (it’s a shared medium, so your neighbors might be able to listen to your conversations with tools we know and love such as Wireshark, Cain & Abel, VoIPong, etc.). Jim also stressed network segmentation, keeping the voice and data networks separate to minimize eavesdropping from computer systems on a shared network.

If you are interested in more information, the Granite Island Group’s website has thousands of pages of references and documentation on the topic, including a good FAQ.

- Jack Daniel

The Slow Death of Antivirus

Thursday, March 13th, 2008

Financially motivated malware is forcing anti-malware vendors to dramatically change their strategies – from remodeling their antivirus labs to the way they market their solutions. At least that is the take of Andrew Jaquith, Yankee Group analyst, who discussed this critical need for change during his SOURCE Boston talk: “Not Dead But Twitching – Antivirus Succumbs to the Scourge of Modern Malware.”

In an industry where security vendors self-congratulate and loudly beat their chests about what they claim to protect against, Jaquith states that current AV protection models are failing as zero-day exploits become more sophisticated and malware creators become further incentivized by financial gain.

“Everyone is losing ground,” he said. “Public bravado belies private anguish.”

Jaquith talked about neosploit designer malware (one signature, one victim) and low-and-slow malware feeding denial of service-type attacks against AV labs as just two reasons that these labs need to consider changing their models.

“Most of the antivirus labs prioritize what they go after based on the infections they hear about,” Jaquith said. He went on to say that this only further drives the attackers to send a lot of tiny viruses and change the signature and content enough to slip under the radar.

Despite years of security investments, antivirus penetration in enterprises stands at 99 percent, yet 63 percent of enterprises suffered a malware outbreak that impaired business. Vendors themselves are citing that they’ve had more malware samples in the last year than in the previous 10 years combined. Throwing more security research engineer bodies at the problem is not going to solve it.

“Today’s antivirus model is losing effectiveness,” Jaquith said. “The enemy is using its infinite ability to scale against the limited capabilities of the AV lab.”

But the biggest problem, he states, is the anti-malware industry itself; he called out the industry’s unwillingness to admit it is losing the battle, to band together, to hush the marketeers and to truly measure the effectiveness of anti-malware efforts.

“Either no one is telling or no one knows – how come no vendors can tell us what percent of anti-malware customers have actually been infected?” he asked.

Herd intelligence (using every endpoint as a collector) with behavior blocking, and taking the old antivirus prevention strategy and leveraging it as a detection strategy are solutions that he suggests.

“Security people think of prevention, detection and response. What AV is good at is protection and how it is marketed. If what you market is silver bullets you are damning yourself to live and die by prevention while the industry is moving to detection and response,” he said.

During his talk, Jaquith cited several vendors who claim to stop “all” malware threats or protect against “any viruses.” There’s a danger in that, he said, as no vendor can guarantee to stop all threats with antivirus solutions, especially with the mounting offenses that malware creators are taking against the AV labs. He pushed for more responsible marketing among all anti-malware vendors.

“Part of this is about the industry growing up. Some of this is tough love but it’s meant to suggest we’ll get beyond the silver bullet.”

– Jennifer Leggio

Snaps from SOURCE: Speaker Series

Thursday, March 13th, 2008

Richard Clarke, opening keynote:

Mike Rothman — How Compliance Can Get You Killed

Dan Geer — Day 2 keynote

Michael Murray and Lee Kushner — Managing Your Network Security Career:

Photos by Raffael Marty

Posted by Jennifer Leggio

Cars and Code: Inspection Criticality

Thursday, March 13th, 2008

I don’t have a fancy car by any means but the one I do have is zippy and reliable. Shocking, considering that I am only reactive when it comes to maintenance and inspection. And while I know very little about cars to begin with, sometimes I try to evaluate for myself how critical it is that I obtain such necessary inspections. One can only imagine the car chaos that creates in my life.

Thankfully, most people are not like me – at least when it comes to vehicles. What about when it comes to code? Yesterday, in his talk “Your Car Has Passed Inspection… But What About Your Software?”, Veracode CEO Matt Moynahan discussed how vendor self-certification and code audits are not enough to help protect against software security vulnerabilities. He issued a call to action for the software industry to require independent assessments – while simultaneously pointing out the current pitfalls in the industry that make this tough (lack of metrics, the time consumption of manual code reviews and lack of vendor motivation).

While it’s not surprising that a leader of a vendor that helps companies evaluate and quantify their code bases suggests third-party software inspection, this call to action was bigger than Veracode. While his company might be the right one to take the lead on such action, what Moynahan proposed is an industry standard that requires the ability to quantify security risk for individual applications based on mission criticality. A Moody’s for software, perhaps, that bases its independent assurance on industry standards (CWE, CVSS, NIST) and provides testing for both pre-deployment and deployment phases. This would require both code providers and their customers to start demanding such inspections.

“Vendors need to take a pragmatic approach,” he said. “Prioritize your application security testing program based on the criticality of your applications.” He urged vendors to work collaboratively with their extended supply chains to promote application security – for the betterment of both developers and software buyers.

While I’m still learning about code audits and how applications are built, Moynahan certainly motivated me to do one thing – hand over responsibility of my vehicle inspections to someone more qualified. Perhaps the software industry could follow my lead.

- Jennifer Leggio

Disruptive Innovation & the Future of Security

Wednesday, March 12th, 2008

Today, Christofer Hoff and Rich Mogull gave a long-view presentation on security innovation. As an audience member, I can say that the basic premise was that disruptive innovations in security are predictable, and that we are still not performing our job titles, namely “information” security. Each of the trends we see in the security market today, namely NAC, DLP, and the like, are microtrends that drive us closer towards the end goal of actually securing information, but are not solutions in and of themselves. In their view, as long as we continue to address individual mediums, namely the server, or the network, or the application, rather than the data and all its forms, we will spin out new efforts that are eventually consolidated until we come closer and closer to addressing the information itself.

– Adam J. O’Donnell, PhD

Snaps from SOURCE

Wednesday, March 12th, 2008

Pre-Con Cocktail Party…

And a little bit of lightsaber fun at the Core Security booth:

Photos by Oliver Day

All photos are licensed under Creative Commons BY-SA

Posted by Jennifer Leggio

Richard Clarke on Government (Ir)Responsibility

Wednesday, March 12th, 2008

As likely expected, Richard Clarke’s kickoff keynote at today’s SOURCE Boston created a lot of post-talk rumblings from the attendees. The former White House senior advisor, clearly still disenchanted with the Bush administration, talked once again about his belief in imminent net-centric warfare, the President’s new non-public cyber security directive, and why the word “regulation” is an expletive in Washington D.C.

Clarke cited the well-known DDoS attacks on Estonia and the reported Chinese government hacks of other governments as examples of how what used to be called paranoia has become, in reality, state-sponsored cyber war. And while there is truth to this, it’s certainly not news (if not a perceived catalyst for the U.S. government’s re-awakened interest in cyber security). Still, Clarke’s main beef appeared to be with President Bush’s recent signing of a directive that puts billions of dollars into several cyber security initiatives. Problem is, he says, that no one knows what those initiatives are.

Ah, but speculation makes for interesting discussion, even if it is only speculation. Clarke says that the Washington rumor mill is putting emphasis on securing the government’s own computer networks, going on the offense in cyber warfare, and perhaps a little investment in R&D.

He implied once again that the current administration is missing the main problem by focusing on Web traffic in such a way, arguing that there is no way to police and protect this data without potentially violating the privacy and civil rights of all Internet users – and ISPs for that matter. “We can no longer assume that our government is not violating the law or our privacy rights,” he said. He also talked again about the ethical impurities in potentially offensively hacking other countries, just because they may be hacking our sensitive networks.

He went on to say that government regulations should be put in place to require ISPs to clean all of their data, which would solve at least 80 percent of cyber threat issues, and that they should also require the government itself to report vulnerabilities it discovers to hospitals, corporations, universities and financial markets. But quite frankly, this seems like a moot effort. Considering the molasses rate at which the U.S. government moves, what are the chances that even if it is first to discover a vulnerability, it could get it patched and communicated quickly enough to really protect high profile data? I’m no expert, but my guess is low.

Most of this isn’t new to folks who have seen Clarke speak before. And truthfully, while I agree with some of Clarke’s points, there seems to be a little bit of conflict. Pushing government regulations that would monitor all network traffic and put ISPs on the line to block applications and content while also arguing for civil rights and privacy, and even net neutrality, doesn’t mix in my mind. Then again, I’m certainly not going to pretend to be the right person to propose another alternative, either.

So, I ask – what do you think the government should or shouldn’t do? Should it take an offensive approach and is the “they are doing it, so should we” Cold War era approach to battle apply in cyber warfare as well?

– Jennifer Leggio

SOURCE Boston — Escape from the Con Monotony

Tuesday, March 11th, 2008

I’m sitting in the prep suite of SOURCE Boston with Stacy Thayer, Christian Rioux, Raffy Marty, Ryan Naraine, Adam O’Donnell, Rob Cheyne and Michael Maziarz. The energy among this cast of characters is intense yet positive. There’s a lot of excitement over the event, and while we might be a little biased (with the exception of Ryan, of course), it seems others have high expectations as well.

Earlier today Dennis Fisher over at Tech Target posed the question, “Can SOURCE Boston save us from boring security conferences?”

“But there’s a little bit of light at the end of the tunnel from a new conference called Source Boston that’s set for this week. The speaker lineup looks really solid and the topics are not your average big picture drivel. They’re getting down into the weeds to find some things that haven’t been covered a thousand times before.”

So come out to the con. It’s not too late to sign up, even for a day. There are cool evening networking events, too. If you can’t come, check back here for coverage of the activities. Or follow us on Twitter @SOURCEBoston. At the very least, we can promise you won’t be bored.

– Jennifer Leggio